Sentinel across multiple environments


We are currently planning a new Azure presence. Each of our environments is distinct (Prod/Pre-Prod/Non-Prod) within different subscriptions, with each having its own Log Analytics Workspace. When looking at how we do SIEM with Sentinel we have discovered the one-to-one relationship between Sentinel and the LAW.

Operating three instances of Sentinel within our environments seems like it won't provide value - I'm thinking about lateral movement, and the ability to detect someone gathering information in lesser environments to use against Prod.

I see that the only way in which Sentinel can use multiple workspaces is to use Lighthouse. Is this a valid solution in our use case? Will it provide the ability to correlate across multiple LAW/Sentinel instances? Or is this a sledgehammer to crack a nut - i.e. is there an easier and better way in which to operate?

2 Replies
Azure Lighthouse is needed if the workspaces are in different tenants, if the three workspaces are within the same tenant/AAD you can view Incidents across all three from the UI.
See Module 3: https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-le...
and https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#cross-work...
Thanks - I hadn't spotted that. Great!
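As an added illustration of the cross-workspace querying the reply points at (this is not code from the thread or from the linked Microsoft docs), the KQL below uses the Log Analytics workspace() function to union the AzureActivity table from three workspaces in the same tenant and flag a caller/IP pair that acted successfully in a lower environment and later in Prod. The workspace names law-nonprod, law-preprod and law-prod, the 7-day window, and the assumption that each environment's subscription sends its activity log to its own workspace are all placeholders chosen for the example.

```kql
// Added example: correlate Azure activity across three same-tenant workspaces.
// Workspace names are assumed placeholders; replace with your own.
let lookback = 7d;
// Pull the activity log from every environment and tag each row with its source
let AllActivity =
    union
        (workspace("law-nonprod").AzureActivity | extend Env = "NonProd"),
        (workspace("law-preprod").AzureActivity | extend Env = "PreProd"),
        (workspace("law-prod").AzureActivity    | extend Env = "Prod")
    | where TimeGenerated > ago(lookback)
    | where ActivityStatusValue == "Success"
    | where isnotempty(Caller) and isnotempty(CallerIpAddress)
    | project TimeGenerated, Env, Caller, CallerIpAddress, OperationNameValue, ResourceGroup;
// Callers seen first in a lower environment, then in Prod, from the same IP
AllActivity
| where Env != "Prod"
| summarize FirstLowerEnv = min(TimeGenerated),
            LowerEnvs = make_set(Env),
            LowerEnvOps = make_set(OperationNameValue, 20)
  by Caller, CallerIpAddress
| join kind=inner (
    AllActivity
    | where Env == "Prod"
    | summarize FirstProd = min(TimeGenerated),
                ProdOps = make_set(OperationNameValue, 20)
      by Caller, CallerIpAddress
  ) on Caller, CallerIpAddress
| where FirstProd > FirstLowerEnv
| project Caller, CallerIpAddress, LowerEnvs, FirstLowerEnv, LowerEnvOps, FirstProd, ProdOps
| order by FirstProd desc
```

The identity running the query needs Log Analytics read access on every workspace referenced; as the reply notes, Azure Lighthouse only becomes necessary when those workspaces live in different tenants. The same union pattern works in an analytics rule, so a single Sentinel instance can raise one incident from events that originated in separate environments.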